Precedence: ROUTINE Date: 07/26/2004

To: San Francisco
From: San Francisco

Squad 14G-Cybersquad, San Jose Resident Agency
Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: 288A-SF-NEW (Pending)

Title: UNSUB(S),
AKA MYDOOM VIRUS;
GOOGLE - VICTIM;
YAHOO - VICTIM;
LYCOS - VICTIM;
COMPUTER INTRUSIONS-CRIMINAL MATTERS


Synopsis: Request to open a new 288A case at San Francisco based on reports that users of popular internet search engines were unable to access major search engine websites or experienced slowness due to the MyDoom virus, which flooded major search engines with automated searches.

Enclosure(s): CNN.com website article (http://www.cnn.com) on the release and impact of the MyDoom virus, dated 07/26/2004.

Details: On 07/26/2004, CNN.com (http://www.cnn.com) reported that internet search engines, such as Google (http://www.google.com), Yahoo (http://www.yahoo.com), and Lycos (http://www.lycos.com) were unable to provide search results to a number of web surfers probably due to a new variant of the MyDoom virus. The problem began at approximately 11:30AM Eastern Time.


The virus uses search engines on infected computers 
to look for more e-mail addresses in order to keep replicating 
itself. 


It is recommended that this matter be opened and assigned to SA [redacted].









UNCLASSIFIED 


o http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

o http://www.f-secure.com/v-descs/mydoom_m.shtml

Attachments: None.
File Number: [illegible]

Field Office Acquiring Evidence: ______
Serial # of Originating Document: ______
Date Received: ______
From: ______ (Name of Contributor/Interviewee) (Address) (City and State)
By: ______

To Be Returned: □ Yes ☒ No
Receipt Given: □ Yes ☒ No
Grand Jury Material - Disseminate Only Pursuant to Rule 6(e), Federal Rules of Criminal Procedure: □ Yes ☒ No
Federal Taxpayer Information (FTI): □ Yes ☒ No

Title: ______

Reference: ______ (Communication Enclosing Material)

Description: □ Original notes re interview of ______
FD-501 (Rev. 7-15-97)

FEDERAL BUREAU OF INVESTIGATION

Date: 07/29/2004

Attn: Computer Investigations Unit, Room 11887
Computer Investigations and Infrastructure Threat Assessment Center (CID/NSD)


ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 07-06-2009 BY 60322/UC/LRP/PLJ/sdb


Title: Subject: UNSUB(S), A.K.A. MyDoom Virus; Google, Yahoo, Lycos, [illegible]

Type: Computer Intrusion

Date: 07/26/2004

SUBMISSION: ☒ Initial □ Supplemental □ Closed

CASE OPENED: 07/26/2004

CASE CLOSED: / /

□ No action due to state/local prosecution (Name/Number: ______)
□ USA declination
□ Referred to Another Federal Agency (Name/Number: ______)
□ Placed in unaddressed work
□ Closed administratively
□ Conviction


COORDINATION: FBI Field Office San Francisco; Government Agency; Private Corporation

VICTIM

Company name/Government agency: Google, Mt. View, CA; Yahoo, Santa Clara, CA;

Address/location: [illegible], CA; Lycos, Waltham, MA

Purpose of System: Internet Search Engines

Highest classification of information stored in system: Unknown



Precedence: Routine

To: Director, FBI

From: SAC, San Francisco

Approved By: [redacted]

Drafted By: [redacted]

Case ID#: 288A-SF-136551-03

To: Director, FBI From: SAC, San Francisco
Re: 288A-SF-136551, Date 07/29/2004


System Data:

Hardware/configuration (CPU): Unknown
Operating System: ______
Software: ______

Security Features:

Security Software Installed: □ yes (identify ______) □ no; Unknown
Logon Warning Banner: □ yes □ no


INTRUSION INFORMATION

Access for intrusion: ☒ Internet connection □ dial-up number □ LAN (insider)

If Internet: Internet address: ______
Network name: ______

Method:

Technique(s) used in intrusion: DDOS (list provided)

Path of intrusion:
addresses: 1. ______ 2. ______ 3. ______ 4. ______ 5. ______
country: 1. ______ 2. ______ 3. ______ 4. ______ 5. ______
facility: 1. ______ 2. ______ 3. ______ 4. ______ 5. ______

Subject:

Age: ______ Race: ______
Sex: ______ Education: ______
Alias(s): ______
Group Affiliation: ______
Employer: ______
Known Accomplices: ______

Equipment used:
Hardware/configuration (CPU): ______
Operating System: ______
Software: ______


Motive:

Impact:

Compromise of classified information: □ yes ☒ no
Estimated number of computers affected: Unknown
Estimated dollar loss to date: Unknown







Category of Crime:

Impairment:
□ Malicious code inserted
☒ Denial of service
□ Destruction of information/software
□ Modification of information/software

Theft of Information:
□ Classified information compromised
□ Unclassified information compromised
□ Passwords obtained
□ Computer obtained
□ Telephone services obtained
□ Application software obtained
□ Operating software obtained

Intrusion:
□ Unauthorized access
□ Exceeding authorized access

REMARKS

On 07/26/2004, popular internet search engines were unable to provide search results to a number of web surfers due to a new variant of the MyDoom virus.

The virus uses search engines to look for more e-mail addresses in order to keep replicating itself.
Technology(s) Used:

Protocol Attacks:

IP: □ spoofing attack □ source routing
TCP: □ sequence number attack
UDP: □ spoofing attack □ flooding
FTP: □ vulnerable version □ SITE EXEC □ overload FTP buffer □ anonymous FTP
Telnet: □ hi-jacking □ packet sniffing
TFTP: □
r commands: □ rsh □ rlogin
SMTP: □ vulnerable version □ spoofing □ embedded postscript attack □ trojan horse attack □ syslog attack □ flooding □ MIME
HTTP: □ flooding □ Telnet to HTTP port
gopher: □ vulnerable version □ flooding
X11 window: □
SNMP: □
FSP: □
NFS: □

Other Attacks:
☒ Worm
□ Social engineering
□ Scavenging and reusing
□ Masquerading
□ Scanning
□ Trojan Horse
□ Other
U.S. Department of Justice

Federal Bureau of Investigation

In Reply, Please Refer to
File No. 288A-SF-136551-[illegible]

450 Golden Gate Ave.
PO Box 36015
San Francisco, CA 94102
(415) 553-7400
July 28, 2004

Attention: [redacted]
Lycos Legal Department


Dear [redacted]:

This letter is to document the conversation yesterday, 07/27/2004, regarding our investigation into the impact of the MYDOOM COMPUTER VIRUS on your organization. Parties to the conversation included yourself, Special Agents [redacted] and [redacted].

If you have any further questions, or additional information, please contact Special Agent [redacted].


Sincerely, 




Mark J. Mershon 
Special Agent in Charge 


By: [redacted]
Supervisory Special Agent


HP OfficeJet K Series K80xi
Personal Printer/Fax/Copier/Scanner

Log for [redacted]
HT Internet
Jul 28 2004 [time illegible]

Last Transaction

Date   Time    Type      Identification  Duration  Pages  Result
Jul 28 3:42pm  Fax Sent  [redacted]      0:22      1      OK



FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 08/16/2004

On August 11, 2004, [redacted], Legal Counsel at Google, in Mountain View, California, telephone number 650/623-6048, was interviewed telephonically and advised of the identity of the interviewing agent and the nature of the interview. [redacted] provided the following information:

GOOGLE is not currently experiencing any effects from the MYDOOM virus that initially struck on July 26, 2004. [redacted] advised that representatives from GOOGLE are working on preparing an analysis of the financial loss suffered by GOOGLE due to the MYDOOM virus. [redacted] believes it will be approximately $100,000.

[redacted] advised that she has the IP addresses of the first ten hosts that queried the GOOGLE search engine related to the MYDOOM attack and said that she would send the information to me via email. The resulting email is attached to and made a part of this FD-302.


Investigation on 08/11/2004 at Quantico, Virginia (telephonically)

File# 288A-SF-136551-5

Date dictated 08/16/2004

by [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.








FD-302 (Rev. 10-6-95) 



FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 07/27/2004

On July 27, 2004, [redacted], LYCOS in San Francisco, California, telephone number (650) 428-5000, was interviewed telephonically and advised of the identity of the interviewing agents and the nature of the interview. [redacted] provided the following information:


Between 8:30AM and 9:00AM Eastern Daylight Time (EDT) on 
07/26/2004, the servers at Lycos were impacted by the MYDOOM virus. 
Between 9:00AM and 10:00AM eastern, legitimate web users' 
availability to search results conducted by LYCOS was at 37%. By 
11:00AM eastern, availability was less than 4%. 


By 7:30PM eastern, LYCOS had implemented filters on 
searches coming into the servers on certain text strings like 
"mail", "reply", "rcpt", and "contact" that they noted were being 
queried by the virus. By applying these filters, they were able to 
block the searches committed by the virus and allow regular users 
to access the search functions of LYCOS. LYCOS could not simply 
block an Internet Protocol (IP) address or range of IP addresses 
because of the distributed nature of the virus. 


[redacted] noted that traffic to the LYCOS website was at approximately 50 times normal levels on 07/26/2004 and continues to fluctuate between 30 and 50 times normal levels on 07/27/2004, but that, due to the filters implemented by LYCOS, their search functions are running normally for most users.
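The mitigation Lycos described, a filter on query text rather than on source addresses, written out as an added example; this is not code from the FBI file or from Lycos. The four substrings are the ones named in the interview. The log format, the client addresses and the queries are constructed, and ip_blocklist_coverage is a hypothetical measure of how much of the worm traffic a blocklist of the busiest sources would have stopped. One constructed line ("how to contact my landlord") is a legitimate query that the substring filter also blocks, which is the trade-off behind the interview's "normally for most users".

```python
"""Substring filter on search queries versus an IP blocklist (added example)."""
from collections import Counter

# Substrings the interview says were being queried by the virus.
WORM_TERMS = ("mail", "reply", "rcpt", "contact")

# Constructed search-engine access log: "<client_ip> <query>" per line.
# Addresses are documentation ranges; queries are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 contact example.com
203.0.113.7 mail example.com
198.51.100.23 reply example.org
198.51.100.44 rcpt example.net
192.0.2.10 weather san francisco
192.0.2.11 how to contact my landlord
192.0.2.12 mydoom virus removal
203.0.113.88 mail example.com
"""


def parse_log(log_text):
    """Yield (client_ip, query) pairs from the constructed log format."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, query = line.partition(" ")
        yield ip, query


def looks_like_worm_query(query):
    """True if the query contains any worm-associated term (case-insensitive)."""
    q = query.lower()
    return any(term in q for term in WORM_TERMS)


def filter_queries(log_text):
    """Split the log into (allowed, blocked) lists of (ip, query) tuples."""
    allowed, blocked = [], []
    for ip, query in parse_log(log_text):
        (blocked if looks_like_worm_query(query) else allowed).append((ip, query))
    return allowed, blocked


def sources_of(entries):
    """Queries per client IP; shows how thinly worm traffic is spread across hosts."""
    return Counter(ip for ip, _ in entries)


def ip_blocklist_coverage(log_text, top_n):
    """Fraction of worm-like queries stopped by blocking the top_n busiest worm sources.

    Hypothetical metric: a low value with a large top_n is the 'distributed nature'
    problem the interview describes, where no short IP list covers the traffic.
    """
    _, blocked = filter_queries(log_text)
    if not blocked:
        return 0.0
    per_ip = sources_of(blocked)
    caught = sum(n for _, n in per_ip.most_common(top_n))
    return caught / len(blocked)


if __name__ == "__main__":
    allowed, blocked = filter_queries(SAMPLE_LOG)
    print("allowed:", allowed)
    print("blocked:", blocked)
    print("coverage of a top-1 IP blocklist:", ip_blocklist_coverage(SAMPLE_LOG, 1))
```

Blocking the single busiest source in the constructed log stops a third of the worm queries; every other worm query comes from a different address, so the content filter is the lever that scales, at the price of also blocking the landlord query.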


Investigation on 07/27/2004 at San Jose, California (telephonically)

File# 288A-SF-136551-[illegible]

by SA [redacted], SA [redacted]

Date dictated 07/27/2004


Date of transcription 07/27/2004

On July 27, 2004, [redacted] and [redacted], MCAFEE, telephone number (503) 466-4484, were interviewed telephonically and advised of the identity of the interviewing agents and the nature of the interview. [redacted] and [redacted] provided the following information:


The 15th variant of the MYDOOM virus was first noticed by 
MCAFEE on July 26, 2004 at approximately 6:30AM pacific time. The 
virus affected major search engines while trying to search for 
additional email addresses to send itself to, as well as several 
corporate customers whose mail servers were temporarily 
overwhelmed. 


The virus harvests email addresses from a local, infected computer, then searches the domain name of the email addresses through the major internet search engines, in an attempt to locate additional email addresses. While the search engines were flooded with searches, [redacted] and [redacted] believe they were not the primary target.


The virus also installs a backdoor on TCP Port 1034 that 
future users and/or viruses can exploit. MCAFEE has already seen 
viruses discovered on July 27, 2004 that exploit this open port, 
but does not think they were necessarily written by the same author 
as the MYDOOM virus. 


[redacted] and [redacted] noted that there was nothing unique or identifying about the virus executable. They do not have the source code of the virus.


Investigation on 07/27/2004 at San Jose, California (telephonically)

File # 288A-SF-136551-7

by SA [redacted], SA [redacted]

Date dictated 07/27/2004


Precedence: ROUTINE

Date: 12/17/2004

To: San Francisco
From: San Francisco

Squad 14G-Cybersquad, San Jose Resident Agency
Contact: SA [redacted]

Approved By: [redacted]

Drafted By: [redacted]

Case ID #: 288A-SF-136551-[illegible] (Pending)

Title: UNSUB(S) 

aka MYDOOM VIRUS; 

GOOGLE - VICTIM; 

YAHOO - VICTIM; 

LYCOS - VICTIM; 

COMPUTER INTRUSIONS-CRIMINAL MATTERS 


Synopsis: Request to close captioned matter. 

Details: At 11:30AM Eastern time on 07/26/2004, internet search engines Google (http://google.com), Yahoo (http://yahoo.com), and Lycos (http://lycos.com) were unable to provide search results to a number of users for several hours due to a variant of the MyDoom virus (Mydoom.m) and Zindos worm.


On 07/28/2004, Special Technologies and Applications 
Section (STAS) assistance was requested in analyzing the 
source code of Mydoom.m and Zindos. 

On 12/14/2004, STAS advised that the analysis of 
Mydoom.m and Zindos was complete. Strings and source code of 
the virus/worm were examined for clues as to the identity of 
the author, but none were found. 

Determination of the original author is therefore 
deemed impossible and the case is being closed. 


SF Field Intelligence Group

Potential Intel Value: □ Yes □ No

Reviewed By: ______ Date: ______

S-Drive Location: ______
The following investigation was conducted by Special Agent [redacted]:

On December 14, 2004, Special Agent [redacted] received from STAS the Technical Lead Report on the Analysis of Mydoom-M/Zindos Worms. The report found no clues as to the identity of the author of either computer worm. The report is attached to and made a part of this document.


Federal Bureau of Investigation
Cyber Division

Special Technologies And Applications Section
Technical Analysis Unit
Technical Lead Report

FOR LEAD PURPOSES ONLY

To: [redacted]

Distribution To: XXX

Date: 11/22/04

Submitter's Case Number: 288A-SF-136551

Re: Analysis of MyDoom-m/Zindos Worms

Title: Analysis of Mydoom-m/Zindos worms

Electronic Location: \\smb00\cases\ProductReports\2004_Reports\STAS-

Prepared By: [redacted]

Phone Number: [redacted]

Approved: XXX

Phone Number: XXX

STAS Control File: 288A-SF-136551

Primary Report ID: STAS04-XXX

MATS ID: 2004-XXX

THIS REPORT IS FURNISHED FOR OFFICIAL USE ONLY. NO PART OF THIS REPORT MAY BE DISCLOSED TO ANY THIRD PARTY WITHOUT THE EXPRESS WRITTEN CONSENT OF THE FBI/CYD

UNCLASSIFIED
1. Media Type and Quantity: 1 CD w/zip file containing Mydoom-m worm

2. Analysis Requested:

• Assist in analysis of Mydoom-M Virus

• Obtain a copy of zindos worm and analyze

3. Executive Summary:

A copy of the Zindos worm was obtained. Both Zindos and Mydoom-m (provided) were analyzed using IDA Pro (static disassembly of binary). Strings and code were examined for clues as to the identity of the author, but none were found.

4. Details of Analysis:

Zindos worm 

• A copy of the zindos worm was obtained from a 3rd party source.

• It was loaded into IDA Pro for disassembly and analysis 

• Disassembly revealed that zindos goes into a tight loop (every 50ms) trying to connect to www.microsoft.com 

• The code was examined looking for identifying information such as names, email addresses, comments or IP addresses that 
might help identify the author. None were found. 

Mydoom-m worm 

• The worm was run in isolation and network traffic was recorded. Without being able to reach the Internet, the worm 
performs lookups for the mail server (MX) for the following domains: 

13 cvs.tartarus.org: type MX, class inet
13 gto.net.om: type MX, class inet
13 kohls.com: type MX, class inet
14 lebanon-online.com.lb: type MX, class inet
14 msdirectservices.com: type MX, class inet
17 petri.co.il: type MX, class inet
14 target.com: type MX, class inet
14 tucows.com: type MX, class inet
13 ultraschallpiloten.com: type MX, class inet

(the number in front is a count of the occurrences during the test run).

[Analyst Comment on above list: It is likely that this is a list of known “open relays” at the time the worm was released. 
The intent is likely to use them to send the initial round of messages.] 
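The dynamic-analysis step described above (run the sample in an isolated network, record its traffic, tally MX lookups per domain) written out as an added example; this is not the STAS tooling. The capture line format, the source hosts and the timestamps are constructed; the domain names are taken from the report's list. The block also adds a check the report does not describe, flagging any host that resolves MX records for more than a threshold number of distinct domains, which is an assumption-based indicator for a self-mailing worm on a workstation rather than anything the report states.

```python
"""Tally MX lookups from an isolated-sandbox capture (added example)."""
import re
from collections import Counter, defaultdict

# Constructed capture excerpt: "<seconds> <src_ip> query <qtype> <name>".
# Domain names come from the STAS report's list; hosts, timestamps and the
# line format are made up for this example.
SAMPLE_CAPTURE = """\
0.001 10.0.0.5 query MX cvs.tartarus.org
0.004 10.0.0.5 query MX gto.net.om
0.010 10.0.0.5 query A www.example.com
0.015 10.0.0.5 query MX kohls.com
0.020 10.0.0.5 query MX cvs.tartarus.org
0.031 10.0.0.5 query MX tucows.com
0.040 10.0.0.9 query A time.example.net
0.052 10.0.0.5 query MX kohls.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<name>\S+)$"
)


def parse_capture(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def mx_lookup_counts(text):
    """Count MX queries per domain, the per-domain tally the report shows."""
    return Counter(r["name"] for r in parse_capture(text) if r["qtype"] == "MX")


def format_like_report(counts):
    """Render the tally in the '<count> <domain>: type MX, class inet' layout."""
    return [f"{n} {name}: type MX, class inet" for name, n in sorted(counts.items())]


def hosts_with_many_mx_targets(text, threshold):
    """Hosts that issued MX lookups for more than `threshold` distinct domains.

    Hypothetical detection rule: an ordinary workstation has little reason to
    resolve mail exchangers for many unrelated domains in a short window.
    """
    targets = defaultdict(set)
    for r in parse_capture(text):
        if r["qtype"] == "MX":
            targets[r["src"]].add(r["name"])
    return sorted(src for src, names in targets.items() if len(names) > threshold)


if __name__ == "__main__":
    for line in format_like_report(mx_lookup_counts(SAMPLE_CAPTURE)):
        print(line)
    print("hosts over threshold:", hosts_with_many_mx_targets(SAMPLE_CAPTURE, 3))
```

Run against a real capture the same idea applies to any DNS log source once the parser is swapped for the actual format; the per-host distinct-domain count is what separates a mail server doing its job from a desktop that has started sending mail on its own.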

• Mydoom-m was loaded into IDA Pro for disassembly and static analysis. A cursory analysis of the code was consistent with analysis provided by commercial anti-virus vendors and security organizations at

o http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
TECHNOLOGY

Google says MyDoom virus caused problems

Monday, July 26, 2004 Posted: 4:21 PM EDT (2021 GMT)

(CNN) - The No. 1 Internet search engine on Monday was unable to provide search results to a number of Web surfers, probably because of a variant of the MyDoom virus.


Users of other popular search engines such as 
Yahoo and Lycos may also have experienced some 
sluggish behavior. 


Google released a statement to CNN at 3 p.m. ET saying the site "experienced slowness for a short period of time early today because of the MyDoom virus, which flooded major search engines with automated searches.

"A small percentage of our users and networks that have the MyDoom virus have been affected for a longer period of time. At no point was the Google Web site significantly impaired, and service for all users and networks is expected to be restored shortly."

According to several media accounts, the problem began about 11:30 a.m. ET, and by 3 p.m. the site seemed to be running smoothly again.

The SANS Institute and other security firms issued a release shortly after the problem was detected saying a new variant of the MyDoom virus could be to blame. The latest incarnation of the troublesome virus uses search engines on infected computers to look for more e-mail addresses in order to keep replicating itself.


Experts contacted by CNN were unable to 
determine the exact magnitude of the problem. 



Some users across the United States reported no trouble with Google or other search engines.

For other people, although the main Google page was able to load, they reported seeing a "server error" message when trying to conduct a search.

Google also announced details of its initial public offering Monday, with share prices of between $108 and $135. Experts consider those figures to be very high, leading some observers to initially speculate that Google was the victim of a vindictive hacker attack.